Getting Data In

Start a Conversation

Discussions

Start a Conversation

Thread Info

I have a question about raw data and index data in indexer. Please help me to understand.

Hi friend, I've a server and already install splunk. This server has many log file (tar.gz) that import from anoth...

by Explorer in

Question regarding .tsidx and journal.gz file

Hi, I have Splunk installed on Linux and my /data directory is going to full very soon and on further findings wha...

by Communicator in

Is there an ssh connection to the Splunk Cloud server, or does only Splunk support have it?

Hello, Is there an ssh connection to Splunk Cloud server or does only Splunk support have it? Tnx

by Path Finder in

Dedicated Syslog collector or Splunk at port 514

I read somewhere that it's not advisable to use Splunk at port 514 to collect syslog events but instead us a dedicate...

by Path Finder in

How to configure nullQueue to filter out repetitive lines from a log file before indexing?

Splunk 6.1 Linux indexers feeding server with master license. I am trying to filter out repetitive lines from a lo...

by New Member in

Why are we seeing duplicate data coming from a Splunk Enterprise forwarder to an external syslog server?

I am seeing duplicate events coming from SPLUNK to our external logger. external syslog server is 10.1.1.25 It app...

by New Member in

TimeStamp problem

Hi, I have a timestamp problem on Splunk. I am working with log file who looks like : numberline;date;ips...

by Explorer in

Why are manual edits to props.conf not taking effect in Splunk Light?

Hello guys, I am new to splunk and I am having troubles in getting my changes to props.conf (from .../Splunk/etc/a...

by New Member in

How to troubleshoot why I am not getting any data in the Splunk App for Active Directory?

Hi All! My issue is I am not able to get the data in Splunk App for Active Directory (Topology, controllers etc). ...

by Path Finder in

How to set time interval on a universal forwarder to check a specific file in directory?

Hi, I have one application at my company which logs only once a day. It hereby overwrites the file of the day be...

by SplunkTrust in

How do I know and change at what time is Splunk indexing the data from local files?

Hello all, I have a question. Every night, between 00:00 and 01:30 at night, the data is being actualized by scrip...

by Contributor in

How should I configure a Heavy Forwarder outputs.conf to work with the distributed management console?

Dear All, I have been getting ready to set up Distributed Management Console after our upgrade to Splunk 6.3.2 and...

by Communicator in

Why does event breaking sometimes occur in the middle of multiline events with my current configuration?

We have a forwarder installed on a Linux server that forwards data from application log files to our indexer. On the ...

by Explorer in

How do I edit my wineventlog configuration to blacklist a specific SourceName?

Hello, everyone. I am having trouble finding a solution to blacklisting a SourceName called "SCLIntra Mobile Sync ...

by Communicator in

Syslog server "host" field question

The Splunk documentation defines “host” as being “an event host value is typically the hostname, IP address, or fully...

by Path Finder in

Can I blacklist sourcetype or Index?

We have client logs getting indexed using Rest API and our license is overloaded with high volume. Because of REST AP...

by Path Finder in

splunk ignoring LINE_BREAKER

I've configured a source type in props.conf with LINE_BREAKER = (\n+) to remove the \r from the default value. This w...

by Path Finder in

When is it appropriate to set followTail to 'true'?

What is the appropriate use of 'followTail' for file monitor inputs in inputs.conf? In which cases is it useful to se...

by Splunk Employee in

Where did I go wrong with my inputlookup search?

Hello all. I have not been able to populate a table via a search that uses inputlookup. My table is only populati...

by Engager in

2 easy questions about indexes.conf

Somehow our default time changed from 30 days to ~6 years and going though indexes.conf in $SPLUNKHOME/etc/system/loc...

by Builder in

Get Updates on the Splunk Community!

Getting Data In

Discussions

I have a question about raw data and index data in indexer. Please help me to understand.

Question regarding .tsidx and journal.gz file

Is there an ssh connection to the Splunk Cloud server, or does only Splunk support have it?

Dedicated Syslog collector or Splunk at port 514

How to configure nullQueue to filter out repetitive lines from a log file before indexing?

Why are we seeing duplicate data coming from a Splunk Enterprise forwarder to an external syslog server?

TimeStamp problem

Why are manual edits to props.conf not taking effect in Splunk Light?

How to troubleshoot why I am not getting any data in the Splunk App for Active Directory?

How to set time interval on a universal forwarder to check a specific file in directory?

How do I know and change at what time is Splunk indexing the data from local files?

How should I configure a Heavy Forwarder outputs.conf to work with the distributed management console?

Why does event breaking sometimes occur in the middle of multiline events with my current configuration?

How do I edit my wineventlog configuration to blacklist a specific SourceName?

Syslog server "host" field question

Can I blacklist sourcetype or Index?

splunk ignoring LINE_BREAKER

When is it appropriate to set followTail to 'true'?

Where did I go wrong with my inputlookup search?

2 easy questions about indexes.conf

Splunk Forwarders and Forced Time Based Load Balancing

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

how splunk can detect wineventlog for "remote desk...

Delay in Access Logs from S3

Why is universal forwarder phonehome not interpret...

Why can't I see FortiAP logs?

Why am I having this issue with HEC guid?